Since 2004, a source for ranting, reviews and InfoSec news

Menu

Scanning External Drives on Connection

Over on Symantec Connect (the Symantec support forum), I frequently see people ask about the ability to automatically scan a removable drive when it is connected to a system. They also submit it as an “idea”. The Idea section is where you can make product suggestions that users can discuss and vote up or down.

I often wonder where this idea comes from because it seems like a particularly bad idea. It seems like someone decided that was the only way to solve the problem of USB based malware like conficker. That isn’t the case and it can be very inconvenient.

If I connect a 1 Gb drive to the system do I really want to wait while Symantec Endpoint Protection scans the full hard drive? I dont think so. Endpoint Protection can disable autorun solving 80% of the malware problem, and real-time scanning will still scan files as they are actually used.

Like most bad ideas this requirement comes from hardening guides and auditors. I was reading the Critical Security Controls and found the following:

Quick wins: Organizations should configure systems so that they conduct an automated anti-malware scan of removable media when it is inserted.

As I said, I think a full drive scan is completely unwarranted. Do any other antimalware products have this capability?